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[57] ABSTRACT 

The present invention is an elliptic curve cryptosystem 
that uses elliptic curves defined over finite fields com- 
prised of special classes of numbers. Special fast classes 
of numbers are used to optimize the modulo arithmetic 
required in the enciphering and deciphering process. 
The class of numbers used in the present invention is 
generally described by the form 2?— C where C is an 
odd number and is relatively small, for example, no 
longer than the length of a computer word (16-32 bits). 
When a number is of this form, modulo arithmetic can 
be accomplished using shifts and adds only, eliminating 
the need for costly divisions. One subset of this fast class 
of numbers is known as “Mersenne” primes, and are of 
the form 2?— 1. Another class of numbers that can be 
used with the present invention are known as “Fermat” 
numbers of the form 29+ 1. The present invention sys- 
tem whose level of security is tunable, q acts as an en- 
cryption bit depth parameter, such that larger values of 
q provide increased security. Inversion operations nor- 
mally require an elliptic curve algebra can be avoided 
by selecting an inversionless parameterization of the 
elliptic curve. Fast Fourier transform for an FFT multi- 
ply mod operations optimized for efficient Mersenne 
arithmetic, allow the calculations of very large q to 
proceed more quickly than with other schemes. 

19 Claims, 6 Drawing Sheets 
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METHOD AND APPARATUS FOR PUBLIC KEY 

EXCHANGE IN A CRYPTOGRAPHIC SYSTEM 

This is a continuation of application Ser. No. 761,276, 5 
filed Sep. 17, 1991 now U.S. Pat. No. 5,159,632. 

BACKGROUND OF THE PRESENT INVENTION 

1. Field of the Invention 

This invention relates to the field of cryptographic 10 
systems. 

2. Background Art 

A cryptographic system is a system for sending a 
message from a sender to a receiver over a medium so 
that the message is “secure”, that is, so that only the 15 
intended receiver can recover the message. A crypto- 
graphic system converts a message, referred to as 
“plaintext” into an encrypted format, known as “cipher- 
text.” The encryption is accomplished by manipulating 
or transforming the message using a “cipher key” or 20 
keys. The receiver “decrypts” the message, that is, 
converts it from ciphertext to plaintext, by reversing the 
manipulation or transformation process using the cipher 
key or keys. So long as only the sender and receiver 
have knowledge of the cipher key, such an encrypted 25 
transmission is secure. 

A “classical” cryptosystem is a cryptosystem in 
which the enciphering information can be used to deter- 
mine the deciphering information. To provide security, 
a classical cryptosystem requires that the enciphering 30 
key be kept secret and provided to users of the system 
over secure channels. Secure channels, such as secret 
couriers, secure telephone transmission lines, or the like, 
are often impractical and expensive. 

A system that eliminates the difficulties of exchang- 35 
ing a secure enciphering key is known as “public key 
encryption.” By definition, a public key cryptosystem 
has the property that someone who knows only how to 
encipher a message cannot use the enciphering key to 
find the deciphering key without a prohibitively 40 
lengthy computation. An enciphering function is 
chosen so that once an enciphering key is known, the 
enciphering function is relatively easy to compute. 
However, the inverse of the encrypting transformation 
function is difficult, or computationally infeasible, to 45 
compute. Such a function is referred to as a “one way 
function” or as a “trap door function.” In a public key 
cryptosystem, certain information relating to the keys is 
public. This information can be, and often is, published 
or transmitted in a non-secure manner. Also, certain 50 
information relating to the keys is private. This informa- 
tion may be distributed over a secure channel to protect 
its privacy, (or may be created by a local user to ensure 
privacy). 

A block diagram of a typical public key crypto- 55 
graphic system is illustrated in FIG. 1. A sender repre- 
sented by the blocks within dashed line 100 sends a 
plaintext message P to a receiver, represented by the 
blocks within dashed line 115. The plaintext message is 
encrypted into a ciphertext message C, transmitted over 60 
some transmission medium and decoded by the receiver 
115 to recreate the plaintext message P. 

The sender 100 includes a cryptographic device 101, 
a secure key generator 102 and a key source 103. The 
key source 103 is connected to the secure key generator 65 
102 through line 104. The secure key generator 102 is 
coupled to the cryptographic device 101 through line 
105. The cryptographic device provides a ciphertext 
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output C on line 106. The secure key generator 102 
provides a key output on line 107. This output is pro- 
vided, along with the ciphertext message 106, to trans- 
mitter receiver 109. The transmitter receiver 109 may 
be, for example, a computer transmitting device such as 
a modem or it may be a device for transmitting radio 
frequency transmission signals. The transmitter receiver 
109 outputs the secure key and the ciphertext message 
on an insecure channel 110 to the receiver’s transmitter 
receiver 111. 

The receiver 115 also includes a cryptographic de- 
vice 116, a secure key generator 117 and a key source 
118. The key source 118 is coupled to the secure key 
generator 117 on line 119. The secure key generator 117 
is coupled to the cryptographic device 116 on line 120. 
The cryptographic device 116 is coupled to the trans- 
mitter receiver 111 through line 121. The secure key 
generator 117 is coupled to the transmitter receiver 111 
on lines 122 and 123. 

In operation, the sender 100 has a plaintext message P 
to send to the receiver 115. Both the sender 100 and the 
receiver 115 have cryptographic devices 101 and 116, 
respectively, that use the same encryption scheme. 
There are a number of suitable cryptosystems that can 
be implemented in the cryptographic devices. For ex- 
ample, they may implement the Data Encryption Stan- 
dard (DES) or some other suitable encryption scheme. 

Sender and receiver also have secure key generators 
102 and 117, respectively. These secure key generators 
implement any one of several well known public key 
exchange schemes. These schemes, which will be de- 
scribed in detail below, include the Diffie-Hellman 
scheme, the RSA scheme, the Massey-Omura scheme, 
and the ElGamal scheme. 

The sender 100 uses key source 103, which may be a 
random number generator, to generate a private key. 
The private key is provided to the secure key generator 
102 and is used to generate an encryption key e/c. The 
encryption key ejc is transmitted on lines 105 to the 
cryptographic device and is used to encrypt the plain- 
text message P to generate a ciphertext message C pro- 
vided on line 106 to the transmitter receiver 109. The 
secure key generator 102 also transmits the information 
used to convert to the secure key from key source 103 
to the encryption key e*. This information can be trans- 
mitted over an insecure channel, because it is impracti- 
cal to recreate the encryption key from this information 
without knowing the private key. 

The receiver 115 uses key source 118 to generate a 
private and secure key 119. This private key 119 is used 
in the secure key generator 117 along with the key 
generating information provided by the sender 100 to 
generate a deciphering key Djc. This deciphering key 
Djc is provided on line 120 to the cryptographic device 
116 where it is used to decrypt the ciphertext message 
and reproduce the original plaintext message. 

THE DIFFIE-HELLMAN SCHEME 

A scheme for public key exchange is presented in 
Diffie and Heilman, “New Directions in Cryptogra- 
phy,” IEEE Trans. Inform. Theory, vol. IT-22, pp. 
644-654, November 1976 (The “DH” scheme). The DH 
scheme describes a public key system based on the dis- 
crete exponential and logarithmic functions. If “q” is a 
prime number and “a” is a primitive element, then X 
and Y are in a 1:1 correspondence for 1 gX, Yg(q— 1) 
where Y =a* mod q, and X=log 0 Y over the finite field. 
The first discrete exponential function is easily evalu- 
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ated for a given a and X, and is used to compute the 
public key Y. The security of the Diffie-Hellman system 
relies on the fact that no general, fast algorithms are 
known for solving the discrete logarithm function 
X=log a Y given X and Y. 5 

In a Diffie-Hellman system, a directory of public keys 
is published or otherwise made available to the public. 

A given public key is dependent on its associated pri- 
vate key, known only to a user. However, it is not feasi- 
ble to determine the private key from the public key. 10 
For example, a sender has a public key, referred to as 
“ourPub”. A receiver has a public key, referred to here 
as “theirPub”. The sender also has a private key, re- 
ferred to here as “myPri”. Similarly, the receiver has a 
private key, referred to here as “theirPri”. 15 

There are a number of elements that are publicly 
known in a public key system. In the case of the Diffie- 
Hellman system, these elements include a prime number 
p and a primitive element g. p and g are both publicly 
known. Public keys are then generated by raising g to 20 
the private key power (mod p). For example, a sender’s 
public key myPub is generated by the following equa- 
tion: 

myPub=g m >’ Pr ‘(mod p ) Equation (I) 25 

Similarly, the receiver’s public key is generated by 
the equation: 

theirPub =^ heirPri (mod p) Equation (2) jq 

Public keys are easily created using exponentiation 
and modulo arithmetic. As noted previously, public 
keys are easily obtainable by the public. They are pub- 
lished and distributed. They may also be transmitted 35 
over non-secure channels. Even though the public keys 
are known, it is very difficult to calculate the private 
keys by the inverse function because of the difficulty in 
solving the discrete log problem. 

FIG. 2 illustrates a flow chart that is an example of a ^ 
key exchange using a Diffie-Hellman type system. At 
step 201, a prime number p is chosen. This prime num- 
ber p is public. Next, at step 202, a primitive root g is 
chosen. This number g is also publicly known. At step 
203 an enciphering key ex is generated, the receiver’s 45 
public key (theirPub) is raised to the power of the send- 
er’s private key (myPri). That is: 

(theirPub)" 1 ^ (mod p) Equation (3) 

We have already defined theirPub equal to g theirPri 50 
(mod p). Therefore Equation 3 can be given by: 

(giheirPri)myPn ( m(x j p > Equation (4) 

This value is the enciphering key ex that is used to 55 
encipher the plaintext message and create a ciphertext 
message. The particular method for enciphering or 
encrypting the message may be any one of several well 
known methods. Whichever encrypting message is 
used, the cipher key is the value calculated in Equation 60 
4. The ciphertext message is then sent to the receiver at 
step 204. 

At step 205, the receiver generates a deciphering key 
dxrby raising the public key of the sender (myPri) to the 
private key of the receiver (theirPri) as follows: 65 

dp=(myPub)' h ' ,rPn (mod p) Equation (5) 
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From Equation 1, myPub is equal to g m y pri (mod p). 
Therefore: 

dy=(y m y Pn )’b e ‘ rPn (mod p) Equation (6) 

Since (g A } B is equal to (g By*, the encipher key ex and 
the deciphering key djfare the same key. These keys are 
referred to as a “one-time pad.” A one-time pad is a key 
used in enciphering and deciphering a message. 

The receiver simply executes the inverse of the trans- 
formation algorithm or encryption scheme using the 
deciphering key to recover the plaintext message at step 
206. Because both the sender and receiver must use 
their private keys for generating the enciphering key, 
no other users are able to read or decipher the cipher- 
text message. Note that step 205 can be performed prior 
to or contemporaneously with any of steps 201-204. 

RSA 

Another public key cryptosystem is proposed in Ri- 
vest, Shamir and Adelman, “On Digital Signatures and 
Public Key Cryptosystems,” Commun. Ass. Comput. 
Mach., vol. 21, pp. 120-126, February 1978 (The 
“RSA” scheme). The RSA scheme is based on the fact 
that it is easy to generate two very large prime numbers 
and multiply them together, but it is much more diffi- 
cult to factor the result, that is, to determine the very 
large prime numbers from their product. The product 
can therefore be made public as part of the enciphering 
key without comprising the prime numbers that effec- 
tively constitute the deciphering key. 

In the RSA scheme a key generation algorithm is 
used to select two large prime numbers p and q and 
multiply them to obtain n=pq. The numbers p and q 
can be hundreds of decimal digits in length. Then Eu- 
ler’s function is computed as <f>(n)=(p- l)(q — 1). (<J>(n) 
is the number of integers between 1 and n that have no 
common factor with n). tf>( n) has the property that for 
any integer a between 0 and n — 1 and any integer k, 
a *4>(n)+i =a mo d n 

A random number E is then chosen between 1 and 
<f>(n)— 1 and which has no common factors with <J>(n). 
The random number E is the enciphering key and is 
public. This then allows D=E~ ! mod <J>(n) to be calcu- 
lated easily using an extended version of Euclid’s algo- 
rithm for computing the greatest common divisor of 
two numbers. D is the deciphering key and is kept se- 
cret. 

The information (E, n) is made public as the encipher- 
ing key and is used to transform unenciphered, plaintext 
messages into ciphertext messages as follows: a message 
is first represented as a sequence of integers each be- 
tween 0 and n — 1. Let P denote such an integer. Then 
the corresponding ciphertext integer is given by the 
relation C=P £ mod n. The information (D, n) is used as 
the deciphering key to recover the plaintext from the 
ciphertext via P=G D mod n. These are inverse transfor- 
mations because G D =P £C =P* < K n )+ I = P. 

MASSEY-OMURA 

The Massey-Omura cryptosystem is described in U.S. 
Pat. No. 4,567,600. In the Massey cryptosystem, a finite 
field F 9 is selected. The field F 9 is fixed and is a publicly 
known field. A sender and a receiver each select a ran- 
dom integer e between 0 and q — 1 so that the greatest 
common denominator G.C.D. (e, q — 1)= 1. The user 
then computes its inverse D=e _1 mod q— 1 using the 
euclidian algorithm. Therefore, De=l mod q— 1. 
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The Massey-Omura cryptosystem requires that three 
messages be sent to achieve a secure transmission. 
Sender A sends message P to receiver B. Sender A 
calculates random number t A and receiver B calculates 
random number e,g. The sender first sends the receiver 5 
the element P e A . The receiver is unable to recover P 
since the receiver does not know e A - Instead, the re- 
ceiver raises the element to his own private key e^and 
sends a second message P e A e B back to the sender. The 
sender then removes the effect of t A by raising the ele- 10 
ment to the D A .,t, power and returns P e B to the receiver 
B. The receiver B can read this message by raising the 
element to the D e-th power. 

ELGAMAL CRYPTOSYSTEM 

The ElGamal public key cryptosystem utilizes a pub- 
licly known finite field F 9 and an element g of F* 9 . Each 
user randomly chooses an integer a=to a A in the range 
0>a>q— 1. The integer a is the private deciphering 
key. The public enciphering key is the element g° F ? . To 20 
send a message represented by P to a user A, an integer 
K is randomly chosen. A pair of elements of F ? , namely 
( g tf p g aX) are gent t0 A The pi a i ntext message P is 
encrypted with the key g aK . The value g K is a “clue” to 
the receiver for determining the plaintext message P. 25 
However, this clue can only be used by someone who 
knows the secure deciphering key “a”. The receiver A, 
who knows “a”, recovers the message P from this pair 
by raising the first element gK°' A and dividing the result 
into the second element. 30 

ELLIPTIC CURVES 

Another form of public key cryptosystem is referred 
to as an “elliptic curve” cryptosystem. An elliptic curve 
cryptosystem is based on points on an elliptic curve E 3$ 
defined over a finite field F. Elliptic curve cryptosys- 
tems rely for security on the difficulty in solving the 
discrete logarithm problem. An advantage of an elliptic 
curve cryptosystem is there is more flexibility in choos- 
ing an elliptic curve than in choosing a finite field. Nev- 40 
ertheless, elliptic curve cryptosystems have not been 
widely used in computer-based public key exchange 
systems due to their computational intensiveness. Com- 
puter-based elliptic curve cryptosystems are slow com- 
pared to other computer public key exchange systems. 45 
Elliptic curve cryptosystems are described in “A 
Course in Number Theory and Cryptography” (Ko- 
blitz, 1987, Springer-Verlag, New York). 

SUMMARY OF THE INVENTION 

The present invention is an elliptic curve cryptosys- 
tem that uses elliptic curves defined over finite fields 
comprised of special classes of prime numbers. Special 
fast classes of numbers are used to optimize the modulo 
arithmetic required in the enciphering and deciphering 55 
process. The class of numbers used in the present inven- 
tion is generally described by the form 2f-C where C 
is an odd number and is relatively small, (for example, 
no longer than the length of a computer word (16-32 
bits)). go 

When a number is of this form, modulo arithmetic 
can be accomplished using shifts and adds only, elimi- 
nating the need for costly divisions. One subset of this 
fast class of numbers is known as “Mersenne” primes, 
and are of the form 2?— 1. To perform an n mod p oper- 65 
ation where p is a Mersenne prime of the form 2?— 1, 
the q LSB’s are latched and the remaining bits are added 
to these q bits. The first q bits of this sum are latched 
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and the remaining bits are added to them. This process 
continues until the sum has q or fewer bits. This sum is 
the solution. 

Another class of numbers that can be used with the 
present invention are known as “Fermat” numbers of 
the form 2?+ 1, where q is equal to 2 m and m is an inte- 
ger. Modulo arithmetic using a Fermat number involves 
shifting q bits and alternately subtracting and adding 
next successive groups of q bits until the resultant has q 
or fewer bits. 

The present invention provides a system that has 
tunable levels of security, that is the level of security 
desired is adjustable, q acts as an encryption bit depth 
parameter, such that larger values of q provide in- 
creased security. By using a fast class of numbers, only 
shifts and adds are required for modulo arithmetic. 
Inversion operations normally require an elliptic curve 
algebra can be avoided by selecting an inversionless 
parameterization of the elliptic curve. Fast Fourier 
transform (FFT) multiply mod operations, optimized 
for efficient Mersenne arithmetic, allow the calculations 
of very large q to proceed more quickly than with other 
schemes. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram of a prior art public key 
exchange system. 

FIG. 2 is a flow diagram of a prior art public key 
exchange transaction. 

FIG. 3 is a flow diagram illustrating the key exchange 
of the present invention. 

FIG. 4 is a block diagram of a computer system on 
which the present invention may be implemented. 

FIG. 5 is a diagram illustrating the shift and add 
operations for performing mod p arithmetic using Mer- 
senne primes. 

FIG. 6 is a diagram illustrating the operations for 
performing mod p arithmetic using Fermat numbers. 

FIG. 7 is a diagram illustrating the operations for 
performing mod p arithmetic using fast class numbers. 

FIG. 8 is a block diagram of the present invention. 

FIG. 9 is a flow diagram illustrating the operation of 
one embodiment of the present invention. 

DETAILED DESCRIPTION OF THE 
INVENTION 

An elliptic curve encryption scheme is described. In 
the following description, numerous specific details, 
such as number of bits, execution time, etc., are set forth 
in detail to provide a more thorough description of the 
present invention. It will be apparent, however, to one 
skilled in the art, that the present invention may be 
practiced without these specific details. In other in- 
stances, well known features have not been described in 
detail so as not to obscure the present invention. 

A disadvantage of prior art computer-implemented 
elliptic curve encryption schemes is they are unsatisfac- 
torily slow compared to other prior art computer- 
implemented encryption schemes. The modulo arithme- 
tic and elliptical algebra operations required in a prior 
art elliptic curve cryptosystem require that divisions be 
performed. Divisions increase computer CPU (central 
processing unit) computational overhead. CPU’s can 
perform addition and multiplication operations more 
quickly, and in fewer processing steps, than division 
operations. Therefore, prior art elliptic curve cryp- 
tosystems have not been previously practical or desir- 
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able as compared to other prior art cryptosystems, such 
as Diffie-Hellman and RSA schemes. 

The present invention provides methods and appara- 
tus for implementing an elliptic curve cryptosystem for 
public key exchange that does not require explicit divi- 5 
sion operations. The advantages of the preferred em- 
bodiment of the present invention are achieved by im- 
plementing fast classes of numbers, inversionless param- 
eterization, and FFT multiply mod operations. 

ELLIPTIC CURVE ALGEBRA 

The elliptic curve used with the present invention is 
comprised of points (x,y) e Fpk X Fpk satisfying: 

by 1 =x i +ax 2 +x Equation (7) 15 


together with a “point at infinity” a. 

Sender (“our”) and recipient (“their”) private keys 
are assumed to be integers, denoted: 


8 

“their” and “their end” refers to one or more senders 
and receivers, respectively. 

The public key exchange of the elliptic curve cryp- 
tosystem of the present invention is illustrated in the 
flow diagram of FIG. 3. 

Step 301 — At our end, a public key is computed: 
ourPub £ Fpk 

ourPub = (our Pri)° (x\,y\) Equation (12) 

Step 302 — At their end, a public key is computed: 
theirPub £ F p k 


theirPub=(theirPrif(x\.y\) Equation (13) 

Step 303 — The two public keys ourPub and theirPub 
are published, and therefore known to all users. 

Step 304 — A one-time pad is computed at our end: 
ourPad £ F^k 


ourPri, theirPri t Z 


20 


our Pod =(ourPri)\theirPub) — (ourPri)' (1 hei rPrif (x- 

hVl) Equation (14) 


Next, parameters are established for both sender and 
recipient. The parameters are: 

q, so that p=2q— C is a fast class number (q is the 
“bit-depth”). The value q is a publicly known 
value. 

k, so that Fpk will be the field, and where k is publicly 
known. 

(xi, yi) £ Fpk, the initial x-coordinate, which is pub- 
licly known. 

a £ F^k, the curve-defining parameter (b is not 
needed). The value a is also publicly known. 

The present invention uses an operation referred to as 
“elliptic multiplication” and represented by the symbol 
The operation of elliptic multiplication can be de- 
scribed as follows: 

An initial point (Xi, Yi) on the curve of Equation 7 is 
defined. For the set of integers n, expression n“(Xi, Y0 
denotes the point (X„, Y„) obtained via the following 
relations, known as adding and doubling rules. 

-*n-H = ((Jn — X\)/(X„— Xi)) 2 — X]— X„ Equation (8) 

} n + l = - 1 'l + ((Pn-Pl)/(2(n-2(i))(2(i-2(„ + i) Equation (9) 

When (Xi, Y i)=(X„, Y„), the doubling relations to be 
used are: 


Step 305 — A one-time pad is computed at their end: 
theirPad £ F^k 

theirPad = (theirPri) 0 (ourPub) = (theirPri) 0 (ourPri) 0 (x- 
l.J'l) Equation (15) 

The elements (theirPri) “(ourPri) “(xj, yi) being part 
of a finite field, form an abelian group. Therefore, the 
order of operation of equations 14 and 15 can be 
changed without affecting the result of the equations. 
Therefore: 

ourPad = {ourPri)°(theirPri)’(x\,y\) = (their Pri)' (our- 
Pri)' (x\,y\)= theirPad Equation (16) 

Since both the sender and receiver use the same one 
time pad, the message encrypted by the sender can be 
decrypted by the recipient, using the one time pad. 
(Note that step 305 can be executed prior to or contem- 
poraneously with any of steps 301-304). 

At step 306, the sender encrypts plaintext message P 
using ourPad, and transmits ciphertext message C to the 
receiver. At step 307, the receiver decrypts ciphertext 
message C to recover plaintext message P, using their- 
Pad. 


25 


30 


35 


40 


45 


Xn+\—((3X\ 2 +a)/2Yi) 2 — IXy, Equation (10) 

y„+ 1 = - Yi+«iXi 2 +a)/2 EiXATi — 2(„+l) Equation (11) 

Because arithmetic is performed over the field F^k, 
all operations are to be performed mod p. In particular, 
the division operation in equations 8 to 1 1 involve inver- 
sions mod p. 

ELLIPTIC CURVE PUBLIC KEY EXCHANGE 

It is necessary that both sender and recipient use the 
same set of such parameters. Both sender and recipient 
generate a mutual one-time pad, as a particular x-coor- 
dinate on the elliptic curve. 

In the following description, the terms “our” and 
“our end” refer to the sender. The terms “their” and 
“their end” refer to the receiver. This convention is 
used because the key exchange of the present invention 
may be accomplished between one or more senders and 
one or more receivers. Thus, “our” and “our end” and 


FAST CLASS NUMBERS 

Elliptic curve cryptosystems make use of modulo 
arithmetic to determine certain parameters, such as 
public keys, one time pads, etc. The use of modulo 
arithmetic serves the dual purpose of limiting the num- 
ber of bits in the results of equations to some fixed num- 
ber, and providing security. The discrete log problem is 
asymmetrical in part because of the use of modulo arith- 
metic. A disadvantage of modulo arithmetic is the need 
to perform division operations. The solution to a mod- 
ulo operation is the remainder when a number is divided 
by a fixed number. For example, 12 mod 5 is equal to 2. 
(5 divides into 12 twice with a remainder of 2, the re- 
mainder 2 is the solution). Therefore, modulo arithmetic 
requires division operations. 

Special fast classes of numbers are used in the present 
invention to optimize the modulo arithmetic required in 
the enciphering and deciphering process by eliminating 
the need for division operations. The class of numbers 
used in the present invention is generally described by 


50 


55 


60 


65 



5,271,061 


the form 29— C where C is an odd number and is rela- 
tively small, (e.g. no longer than the length of a com- 
puter word. 

When a number is of this form, modulo arithmetic 
can be accomplished using shifts and adds only, elimi- 
nating the need for divisions. One subset of this fast 
class is known as “Mersenne” primes, and are of the 
form 29— 1. Another class that can be used with the 
present invention are known as “Fermat” numbers of 
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FIG. 5, the shifts and adds are accomplished by first 
latching the q least significant bits (LSB’s) 501 of n, 
namely 0110101. The q LSB’s 502 of the remaining 
digits, namely 0001 1 10, are then added to q digits 501, 
resulting in sum 503 (100001 1). The next q LSB’s 504 of 
n, (0101 1 1 1), are added to sum 503, generating sum 505, 
(1 1 10010). Bits 506 of n (1 101 1 1 1) are added to sum 505, 
to result in sum 507, (11100001). 

the form 29+ 1, where q is equal to 2* Fermat numbers 10 ** £! If!’ ^ l°, Ugh feWCr 

may be prime or not prime in the present invention. * sum 507 S ene ™ te 

The present invention utilizes elliptic curve algebra 509 (HiOlll 1). This sum has greater than q bits. 

• - - - Therefore, the first q bits 510 (1 101 111) are summed 

with the next q bits 511 (in this case, the single bit 1), to 
generate sum 512 (1110000). This sum, having q or 
15 fewer bits, is the solution to n mod p. 
1 1 1 0000 = 2« + 2 5 + 2 4 = 64 + 3 2 + 1 6 = 1 1 2. 


over a finite field F p k where p=2«-C and p is a fast 
class number. Note that the equation 29-C does not 
result in a prime number for all values of q. and C. For 
example, when q is equal to 4, and C is equal to 1, 29- C 
is equal to 15, not a prime. However, when q has a value 
of 2, 3, or 5, and C = 1 the equation 29— C generates the 
prime numbers 3, 7, and 31. 

The present invention implements elliptic curves 
over a finite field F^k where p is 2q— C is an element of 
a fast class of numbers. When practiced on a computer 
using binary representations of data, the use of fast class 
numbers allows the mod p operations to be accom- 
plished using only shifts and adds. By contrast, the use 
of “slow” numbers requires that time consuming divi- 25 
sion operations be executed to perform mod p arithme- 
tic. The following examples illustrate the advantage of 
fast class number mod p arithmetic. 


20 


Thus, the solution 112 to n mod 127 is determined 
using only shifts and adds when an elliptic curve over a 
field of Mersenne primes is used. The use of Mersenne 
primes in conjunction with elliptic curve cryptosystems 
eliminates explicit divisions. 


EXAMPLE 1 
Base 10 mod p division 

Consider the 32 bit digital number n, where 
n = 11 101 101 11 10101 11 10001 11001 10101 (In base 10 
this number is 3,991,652,149). 

Now consider n mod p where p is equal to 127. The 
expression n mod 127 can be calculated by division as 
follows: 


127 , 


31430331 

'’3991652149 

381 

181 

127 

546 

508 

385 

381 

42 

0 _ 

421 

381 

404 

381 

239 

127 

112 


The remainder 1 12 is the solution to n mod 127. 
EXAMPLE 2 

Mersenne Prime mod p Arithmetic 


EXAMPLE 3 

Fermat Number mod p Arithmetic 

In the present invention, when p is a Fermat number 
where p=29+l, the mod p arithmetic can be accom- 
plished using only shifts, adds, and subtracts (a negative 
add), with no division required. Consider again n mod p 
30 where n is 3,991,652,149 and where p is now 257. When 
p is 257, q is equal to 8, from p=29+l; 
257=28+1=256+1=257. 

The mod p arithmetic can be accomplished by using 
the binary form of n, namely 
35 11101101111010111100011100110101. Referring to 
FIG. 6, the shifts and adds are accomplished by first 
latching the q (8) least significant bits (LSB’s) 601 
(00110101). The next q LSB’s 602 of the remaining 
digits, namely 11000111, are to be subtracted from q 
40 digits 601. To accomplish this, the l’s complement of 
bits 602 is generated and a 1 is added to the MSB side to 
indicate a negative number, resulting in bits 602' 
(1001 1 1000). This negative number 602' is added to bits 
601 to generate result 603 (101101101). The next q 
4 ' i LSB’s 604 of n, (11101011), are added to sum 603, gen- 
erating result 605, (1001011000). Bits 606 of n 
(1 1 101 101) are to be subtracted from result 605. There- 
fore, the l’s complement of bits 606 is generated and a 
negative sign bit of one is added on the MSB side to 
50 generate bits 606’ (100010010). Bits 606' is added to 
result 605, to generate sum 607, (1101101010). 

Sum 607 has more than q bits so the q LSB’s are 
latched as bits 608 (01101010). The next q bits (in this 
case, only two bits, 11) are added to bits 608, generating 
sum 610 (01101 101). This sum, having q or fewer bits, is 
the solution to n mod p. 
01101 101 =2 6 +2 5 + 23+2 2 +2°=64+32 + 8+4+ 1 = 1- 
09, 


In the present invention, when p is a Mersenne prime 60 
where p=29— 1, the mod p arithmetic can be accom- 
plished using only shifts and adds, with no division 
required. Consider again n mod p where n is 
3,991,652,149 and p is 127. When p is 127, q is equal to 
7, from p=29-l ; 127=2 7 - 1 = 128- 1 = 127. 

The mod p arithmetic can be accomplished by using 
the binary form of n, namely 
11101101111010111100011100110101. Referring to 


EXAMPLE 4 
Fast Class mod Arithmetic 

In the present invention, when p is a number of the 
class p = 29— C, where C is and odd number and is rela- 
65 tively small, (e.g. no greater than the length of a digital 
word), the mod p arithmetic can be accomplished using 
only shifts and adds, with no division required. Con- 
sider again n mod p where n is 685 and where p is 13. 
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When p is 13, q is equal to 4 and C is equal to 3, from 
p=2?-C; 13=2 1 2 3 4 5 6 7 * * — 3 = 16— 3=13. 

The mod p arithmetic can be accomplished by using 
the binary form of n, namely 1010101 101. Referring to 
FIG. 7, the shifts and adds are accomplished by first 5 
latching the q (4) least significant bits (LSB’s) 701 of n, 
namely 1 101. The remaining bits 702 (101010) are multi- 
plied by C (3) to generate product 703 (1111110). Prod- 
uct 703 is added to bits 701 to generate sum 704 
(1000101 1). The q least significant bits 705 (101 1) of sum 10 
704 are latched. The remaining bits 706 (1000) are multi- 
plied by C to generate product 707 (1 1000). Product 707 
is added to bits 705 to generate sum 708 (10001 1). The q 
least significant bits 709 (001 1) of sum 708 are latched. 
The remaining bits 710 (10) are multiplied by C to gen- 
erate product 711 (1 10). Product 711 is added to bits 709 
to generate sum 712 (1001). Sum 712, having q or fewer 
bits, is the solution to n mod p. 1001 =2 3 + 2°= 8 + 1 =9. 

685 divided by 13 results in a remainder of 9. The fast 20 
class arithmetic provides the solution using only shifts, 
adds, and multiplies. 

SHIFT AND ADD IMPLEMENTATION 

Fast Mersenne mod operations can be effected via a 2 5 
well known shift procedure. For p=2? — 1 we can use: 

x=(x&p)+(x> >q) Equation (17) 

a few times in order to reduce a positive x to the appro- 20 
priate residue value in the interval 0 through p— 1 inclu- 
sive. This procedure involves shifts and add operations 
only. Alternatively, we can represent any number x 
(mod p) by: 

*=<7+62fa + l)/2 = ( ai j) Equation (18) 

If another integer y be represented as (c, d), we have: 

xy(mod p)=(ac+2bd,ad+bc) Equation (19) 

40 

after which some trivial shift-add operations may be 
required to produce the correct reduced residue of xy. 

To compute an inverse (mod p), there are at least two 
ways to proceed. One is to use a binary form of the 
classical extended-GCD procedure. Another is to use a 
relational reduction scheme. The relational scheme 
works as follows: 

Given p=2?— 1, \^=Q (mod p), 

to return x-> (mod p): JQ 

1) Set (a,b)=(l, 0) and (y, z)=(x, p); 

2) If (y = =0) retum(z); 

3) Find e such that 2 e || y; 

4) Set a=29~ e a (mod p); 55 

5) If(y = = 1) retum(a); 

6) Set (a, b)=(a+b, a-b) and (y, z)=(y+z, y-z); 

7) Go to (2). 

The binary extended-GCD procedure can be per- 
formed without explicit division via the operation 60 
[a/b] 2 , defined as the greatest power of 2 not exceeding 
a/b: 

Given p, and x^tO (mod p), 

to return x _1 (mod p): 


12 

4) Set (x, vo)=(vo, x— uovo) and (uj, vi)=(vi, ui. 
-uovi); 

5) If (vj = =0) retum(x); else go to (3). 

The present invention may be implemented on any 
conventional or general purpose computer system. An 
example of one embodiment of a computer system for 
implementing this invention is illustrated in FIG. 4. A 
keyboard 410 and mouse 411 are coupled to a bi-direc- 
tional system bus 419. The keyboard and mouse are for 
introducing user input to the computer system and com- 
municating that user input to CPU 413. The computer 
system of FIG. 4 also includes a video memory 414, 
main memory 415 and mass storage 412, all coupled to 
bi-directional system bus 419 along with keyboard 410, 
mouse 411 and CPU 413. The mass storage 412 may 
include both fixed and removable media, such as mag- 
netic, optical or magnetic optical storage systems or any 
other available mass storage technology. The mass stor- 
age may be shared on a network, or it may be dedicated 
mass storage. Bus 419 may contain, for example, 32 
address lines for addressing video memory 414 or main 
memory 415. The system bus 419 also includes, for 
example, a 32-bit data bus for transferring data between 
and among the components, such as CPU 413, main 
memory 415, video memory 414 and mass storage 412. 
Alternatively, multiplex data/address lines may be used 
instead of separate data and address lines. 

In the preferred embodiment of this invention, the 
CPU 413 is a 32-bit microprocessor manufactured by 
Motorola, such as the 68030 or 68040. However, any 
other suitable microprocessor or microcomputer may 
be utilized. The Motorola microprocessor and its in- 
struction set, bus structure and control lines are de- 
scribed in MC68030 User’s Manual, and MC68040 
User’s Manual, published by Motorola Inc. of Phoenix, 
Ariz. 

Main memory 415 is comprised of dynamic random 
access memory (DRAM) and in the preferred embodi- 
ment of this invention, comprises 8 megabytes of mem- 
ory. More or less memory may be used without depart- 
ing from the scope of this invention. Video memory 414 
is a dual-ported video random access memory, and this 
invention consists, for example, of 256 kbytes of mem- 
ory. However, more or less video memory may be 
provided as well. 

One port of the video memory 414 is coupled to 
video multiplexer and shifter 416, which in turn is cou- 
pled to video amplifier 417. The video amplifier 417 is 
used to drive the cathode ray tube (CRT) raster monitor 
418. Video multiplexing shifter circuitry 416 and video 
amplifier 417 are well known in the art and may be 
implemented by any suitable means. This circuitry con- 
verts pixel data stored in video memory 414 to a raster 
signal suitable for use by monitor 418. Monitor 418 is a 
type of monitor suitable for displaying graphic images, 
and in the preferred embodiment of this invention, has a 
resolution of approximately 1020x832. Other resolu- 
tion monitors may be utilized in this invention. 

The computer system described above is for purposes 
of example only. The present invention may be imple- 
mented in any type of computer system or program- 
ming or processing environment. 

BLOCK DIAGRAM 


65 

1) If (x= = 1) return(l); 

2) Set (x, v0)=(0, 1) and (ui, vi)=(p, x); 

3) Set uo=[ui/vi] 2 ; 


FIG. 8 is a block diagram of the present invention. A 
sender, represented by the components within dashed 
line 801, encrypts a plaintext message P to a ciphertext 
message C. This message C is sent to a receiver, repre- 
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sented by the components within dashed line 802. The 
receiver 802 decrypts the ciphertext message C to re- 
cover the plaintext message P. 

The sender 801 comprises an encryption/decryption 
means 803, an elliptic multiplier 805, and a private key 5 
source 807. The encryption/decryption means 803 is 
coupled to the elliptic multiplier 805 through line 809. 
The elliptic multiplier 805 is coupled to the private key 
source 807 through line 811. 

The encryption/decryption means 804 of receiver 10 
802 is coupled to elliptic multiplier 806 through line 810. 
The elliptic multiplier 806 is coupled to the private key 
source 808 through line 812. 

The private key source 807 of the sender 801 contains 
the secure private password of the sender, “ourPri”. 15 
Private key source 807 may be a storage register in a 
computer system, a password supplied by the sender to 
the cryptosystem when a message is sent, or even a 
coded, physical key that is read by the cryptosystem of 
FIG. 8 when a message is sent or received. Similarly, 20 
the private key source 808 of receiver 802 contains the 
secure private password of the receiver, namely, “their- 
Pri”. 
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tions to be performed. The present invention reduces 
the number of divisions required for elliptic multiply 
operations by selecting the initial parameterization to be 
inversionless. This is accomplished by selecting the 
initial point so that the “Y” terms are not needed. 

In the present invention, both sender and recipient 
generate a mutual one-time pad, as a particular x-coor- 
dinate on the elliptic curve. By choosing the initial point 
(Xj, Yi) appropriately, divisions in the process of estab- 
lishing multiples n* (XI, Yl) are eliminated. In the steps 
that follow, the form 

n‘(X m /Z m ) Equation (20) 

for integers n, denotes the coordinate (X„+ m /Z„ +m ). 
For x=X/Z the x-coordinate of the multiple n(x, y) as 
X„/Z„, is calculated using a “binary ladder” method in 
accordance with the adding-doubling rules, which in- 
volve multiply mod operations: 

Ifi^j: 

Xi+j^Zi-fXjXj—ZiZj) 1 Equation (21) 


A separate source 813 stores publicly known informa- 
tion, such as the public keys “ourPub” and “theirPub” 25 
of sender 801 and receiver 802, the initial point (xi, yi), 
the field F^K, and curve parameter “a”. This source of 
information may be a published directory, an on-line 
source for use by computer systems, or it may transmit- 
ted between sender and receiver over a non-secure 30 


Z i+ j=X i -/.X i Zj-Z i Xj) 2 
Otherwise, if i=j: 
X 2i =(X?-zW 
Zii=AXjZiX? + aXjZj+ Z?) 


Equation (22) 

Equation (23) 
Equation (24) 


transmission medium. The public source 813 is shown 
symbolically connected to sender 801 through line 815 
and to receiver 802 through line 814. 

In operation, the sender and receiver generate a com- 
mon one time pad for use as an enciphering and deci- 35 
phering key in a secure transmission. The private key of 
the sender, ourPri, is provided to the elliptic multiplier 
805, along with the sender’s public key, theirPub. The 
elliptic multiplier 805 computes an enciphering key e* 
from (ourPri) ' (theirPub) mod p. The enciphering key 40 
is provided to the encryption/decryption means 803, 
along with the plaintext message P. The enciphering 
key is used with an encrypting scheme, such as the DES 
scheme or the elliptic curve scheme of the present in- 
vention, to generate a ciphertext message C. The ci- 45 
phertext message is transmitted to the receiver 802 over 
a nonsecure channel 816. 

The receiver 802 generates a deciphering key d* using 
the receiver’s private key, theirPri. TheirPri is provided 
from the private key source 808 to the elliptic multiplier 50 
804, along with sender’s public key, ourPub, (from the 
public source 813). Deciphering key d* is generated 
from (theirPri) * (ourPub) mod p. The deciphering key 
d* is equal to the enciphering key e* due to the abelian 
nature of the elliptic multiplication function. Therefore, 55 
the receiver 802 reverses the encryption scheme, using 
the deciphering key d& to recover the plaintext message 
P from the ciphertext message C. 

The encryption/decryption means and elliptic multi- 
plier of the sender 801 and receiver 802 can be imple- 60 
mented as program steps to be executed on a micro- 
processor. 

INVERSIONLESS PARAMETERIZATION 


These equations do not require divisions, simplifying 
the calculations when the present invention is imple- 
mented in the present preferred embodiment. This is 
referred to as “Montgomery parameterization” or “in- 
versionless parameterization” (due to the absence of 
division operations), and is described in “ Speeding the 
Pollard and Elliptic Curve Methods of Factorization" 
Montgomery, P. 1987 Math. Comp., 48 (243-264). 
When the field is simply F^, this scheme enables us to 
compute multiples nx via multiplication, addition, and 
(rapid) Mersenne mod operations. This also holds when 
the field is Fp2. Because p=3 (mod 4) for any Mersenne 
prime p, we may represent any X,- or Z,- as a complex 
integer, proceeding with complex arithmetic for which 
both real and imaginary post-multiply components can 
be reduced rapidly (mod p). We also choose Zi = 1, so 
that the initial point on the curve is (Xj/l, y) where y 
will not be needed. 

Using both fast class numbers and inversionless pa- 
rameterization, a public key exchange using the method 
of the present invention can proceed as follows. In the 
following example, the prime is a Mersenne prime. 
However, any of the fast class numbers described herein 
may be substituted. 

1) At “our” end, use parameter a, to compute a public 
key: ourPub £ F^k 

(X/Z)=ourPri°(Xi/l) 

ourPub =XZ -1 

2) At “their” end, use parameter a, to compute a 
public key: theirPub e F^k 

(X/Z)=theirPri°(Xi/l) 

theirPub =XZ-> 

3) The two public keys ourPub and theirPub are 


The use of fast class numbers eliminates division oper- 65 published, and therefore are known, 
ations in mod p arithmetic operations. However, as ^ Compute a one-time pad: ourPad £ F^k 

illustrated by equations 13-16 above, the elliptic multi- (X/Z)=ourPri (theirPub/1) 

ply operation requires a number of division opera- ourPad =XZ _1 

5) Compute a one-time pad: theirPad £ F^k 
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(X/Z) = theirPri°(ourPub/ 1 ) 

theirPad =XZ~' 

The usual key exchange has been completed, with 

ourPad=theirPad 

Message encryption/decryption between “our” end 5 
and “their” end may proceed according to this mutual 
pad. 

FFT MULTIPLY 

For very large exponents, such as q>5000, it is ad- 10 
vantageous to perform multiplication by taking Fourier 
transforms of streams of digits. FFT multiply works 
accurately, for example on a 68040-based NeXTstation, 
for general operations xy (mod p) where p=2?— 1 has 
no more than q=2 20 (about one million) bits. Further- 15 
more, for Mersenne p there are further savings when 
one observes that order-q cyclic convolution of binary 
bits is equivalent to multiplication (mod 2? — 1). The use 
of FFT multiply techniques results in the ability to 
perform multiply-mod in a time roughly proportional to 20 
q log q, rather than q 2 . 

Elliptic curve algebra can be sped up intrinsically 
with FFT techniques. Let X denote generally the Fou- 
rier transform of the digits of X, this transform being the 
same one used in FFT multiplication. Then we can 25 
compute coordinates from equations 21-24. To com- 
pute Xj+j for example, we can use five appropriate 
transforms, (X/, X/, Z /, Z /, and Z ,_, ) (some of which can 
have been stored previously) to create the transform: 

30 

In this way the answer Xj+j can be obtained via 7 
FFT’s. (Note that the usual practice of using 2 FFT’s 
for squaring and 3 FFT’s for multiplication results in 1 1 35 
FFT’s for the “standard” FFT approach). The ratio 
7/11 indicates a significant savings for the intrinsic 
method. In certain cases, such as when p is a Mersenne 
prime and one also has an errorless number-theoretic 
transform available, one can save spectra from the past 4^ 
and stay in spectral space for the duration of long calcu- 
lations; in this way reducing times even further. 

A flow diagram illustrating the operation of the pres- 
ent invention when using fast class numbers, inversion- 
less parameterization and FFT multiply operations is 45 
illustrated in FIG. 9. At step 901, a fast class number p 
is chosen where p=2?— C. The term q is the bit depth 
of the encryption scheme. The greater the number of 
bits, the greater the security. For large values of q, FFT 
multiply operations are used to calculate p. The term p 50 
is made publicly available. 

At step 902, the element k for the field Fpk is chosen 
and made public. At step 903, an initial point (Xj/Z) on 
the elliptic curve is selected. By selecting the initial 
point to be inversionless, costly divides are avoided. 55 
The initial point is made public. The curve parameter a 
is chosen at step 904 and made public. 

At step 905, the sender computes Xi/Z=our- 
Pri°(Xi/l) using inversionless parameterization. The 
sender’s public key is generated ourPub = (XZ - ')(mod ^ 
p). The receiver’s public key theirPub=(XZ-')(mod 
p), is generated at step 906. 
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A one time pad for the sender, ourPad, is generated at 
step 907. X/Z=(ourPri)°(theirPub/l). our- 
Pad =XZ~ '(mod p). At step 908, a one time pad for the 
receiver, theirPad, is generated. X/Z=(theirPri)°(our- 
Pub/1). theirPad =XZ~ '(mod p). The calculation of 
ourPad and theirPad utilizes FFT multiplies to elimi- 
nate the need to calculate the inversion Z _1 . At step 
909, the sender converts a plaintext message P to a 
ciphertext message C using ourPad. The ciphertext 
message C is transmitted to the receiver. At step 910, 
the receiver recovers the plaintext message P by deci- 
phering the ciphertext message C using theirPad. 

FEE SECURITY 

The algebraic factor M89 = 2 89 — 1, which is a Mer- 
senne prime, occurs with “natural” statistics when the 
elliptic curve method (ECM) was employed. This was 
shown in attempts to complete the factorization of 
M445 = 2 445 — 1 (this entry in the Cunningham Table 
remains unresolved as of this writing). In other words, 
for random parameters a the occurrence k(Xi/l)=0 
for elliptic curves over F p with p=Ms9 was statistically 
consistent with the asymptotic estimate that the time to 
find the factor Ms9 of M445 be 0(exp(V(2 log p log log 
p))). These observations in turn suggested that finding 
the group order over F p is not “accidentally” easier for 
Mersenne primes p, given the assumption of random a 
parameters. 

Secondly, to check that the discrete logarithm prob- 
lem attendant to FEE is not accidentally trivial, it can 
be verified, for particular a parameters, that for some 
bounded set of integers N 

(p^-lKXi/D^to 

The inequality avoids the trivial reduction of the 
discrete logarithm evaluation to the equivalent evalua- 
tion over a corresponding finite field. Failures of the 
inequality are extremely rare, in fact no non-trivial in- 
stances are known at this time for q>89. 

The present invention provides a number of advan- 
tages over prior art schemes, particularly factoring 
schemes such as the RSA scheme. The present inven- 
tion can provide the same security with fewer bits, 
increasing speed of operation. Alternatively, for the 
same number of bits, the system of the present invention 
provides greater security. 

Another advantage of the present cryptosystem over 
prior art cryptosystems is the distribution of private 
keys. In prior art schemes such as RSA, large prime 
numbers must be generated to create private keys. The 
present invention does not require that the private key 
be a prime number. Therefore, users can generate their 
own private keys, so long as a public key is generated 
and published using correct and publicly available pa- 
rameters p, F^k, (Xj/Z) and “a”. A user cannot gener- 
ate its own private key in the RSA system. 

The present invention can be implemented in the 
programming language C. The following are examples 
of programmatic interfaces (.h files) and test programs 
(.c files) suitable for implementing the present inven- 
tion. 


/* fee.h 

© 1991 NeXT Computer, Inc. All Rights Reserved. 

*/ 
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♦import "giants. h” 

♦define DEFAULT_VERSION 1 ♦define DEFAULT_DEPTH 4 ♦define DEFAULT_SEED 0 
♦define MAX_DEPTH 22 ♦define FEEJTOKEN "scicompg" ♦define BUF_SIZE 8192 
♦define KEY_TOO_SHORT 1 ♦define ILLEGAL_CHARS_IN_KEY 2 ♦define BADJTOKEN 
3 ♦define VERS I ON_PARAM_MI SMATCH 4 fdefine DEPTH_PARAH_MI SMATCH 5 
♦define SEED_PARAM_MI SMATCH 6 ♦define EXP_PARAM_MI SMATCH 7 ♦define 
A_PARAM_MI SMATCH 8 ♦define X1_PARAM_MI SMATCH 9 

typedef giant padkey; 

typedef struct { 

int version; int depth; int seed; int exp; int a; int xl; 
padkey x; 

) keystruct; typedef keystruct ‘key; 

int hexstr_illegal (char *pub_hex) ; /* Returns non-zero iff pub_hex is 
not a valid hex string. */ 

void hexstr_to_key (char *str, key public); /* Jams public (assumed pre- 
malloced) with hex str contents. */ 

char * new_hexstr_f rom_key (key public); /* Mallocs and returns a hex 
string representing public. */ 

key new_public_from_private (char ‘private, int depth, int seed); /* 
Mallocs and returns a new public key. If private***NULL, depth and seed 
are ignored, and the returned key is simply malloc'ed but without 
meaningful parameters. If private is a valid string, depth and seed are 
used to establish correct elliptic parameters, depth is 0 to MAx_DEPTH 
inclusive, while seed ** DEFAULT_SEED usually, but may be chosen to be 
any integer in order to change the encryption parameters for the given 
depth. The depth alone determines the time to generate one-time pads. 

*/ 

char * new_hexstr_from_pad() ; /* Malloc's and returns a hex string, 
null-terminated, representing the one-time pad. This function is usually 
called after a make_one_time_pad() call. 

*/ 

void generate_byte_pad (char *byte_pad, int len) ; /* Jams byte_pad with 
len bytes of the one-time pad. There is no null termination; just len 
bytes are modified. 

*/ 

int make_one_time_pad (char ‘private, key public); /* Calculate the 
internal one-time pad. */ 

void free_key(key pub); /* De-allocate an allocated key. */ 

void NXWritePublic (NXStream ‘out, key my_pub) ; /* Write a key to out 
stream. */ 

void NXReadPublic (NXStream ‘in, key pub); /* Read a key from in stream. 
*/ 

int keys_inconsistent (key publ, key pub2); /* Return non-zero if publ, 
pub2 have inconsistent parameters. 

*/ 
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int encrypt_stream (NXStream *in, NXStream *out, key their_pub, key 
my_pub, char *my_pri); /* Encrypt in to out. If my_pub!«=NULL, a 
consistency check for equivalent parameters with their_pub is performed, 
with possible non-zero error returned (and encryption aborted) . 
Otherwise, when my pub==NULL, an internal key is temporarily created for 
insertion into the out stream. 

*/ 

int dec rypt_st ream (NXStream *in, NXStream *out, char *my_pri); /* 

Decrypt in to out. Non-zero error value is returned if an internal token 
(that should have been present in the in stream) is not properly 
decrypted. 

*/ 

void set_crypt_pa rams (int *depth, int *exp, int *a, int *xl, int *seed) ; 

void str_to_giant (char *str, giant g) ; 

int ishex(char *s) ; 

void byte_to_hex (int b, char *s); 

void hex_to_byte (char *s, int *b) ; 

int hexstr_to_int (char **s); 

int int_to_hexstr (int n, char *str) ; 

int giant_to_hexstr (giant g, char *str); 

void make_base (int exp); , 

void init_elliptic () ; 

padkey get jpad ( ) ; 

void ell_even (giant xl, giant zl, giant x2, giant z2, int a, int q) ; 

void ell_odd (giant xl, giant zl, giant x2, giant z2, giant xor, giant 
zor, int q) ; 

int scompg (int n, giant g) ; 

void elliptic (giant xx, giant zz, giant k, int a, int q) ; 
unsigned char byt (padkey x, int k) ; 
int version_param(key pub); 

int depth_param(key pub) ; 
int seed_param(key pub) ; 

int exp_jparam(key pub); 

int a_param(key pub); 

int xl_param(key pub); 
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/* keytest.c 

Test program for public key exchange. Usage: > keytest depth 
MyPrivate TheirPrivate 

© 1991 NeXT Computer, Inc. All Rights Reserved 

*/ 

fimport <stdio.h> limport <streams/streams . h> limport "fee.h" 
main (int argc, char **argv) { 

key my_pub, their_pub; char *my_pub_str, *their_pub_str; char 
*padstr; int depth; 

if(argc<4) { 

fprintf (stderr, "Usage: keytest depth MyPrivate 
TheirPrivate\n") ; exit(O); 

) 

depth - atoi (argvfl] ) ; my_pub - 

new_public_from_private (argv [2] , depth, DEFAULT_SEED) ; 
their_pub - new_public_f rom_private (argv [3] , depth, 
DEFAULT_SEED) ; 

my_pub_str ■ new_hexstr_f rom_key (my_pub) ; their_pub_str - 
new_hexstr_from_key (theirjpub) ; 

printf ("My Public Key: \n%s\n",my_pub_str) ; printf ("Their 
Public Key: \n%s\n", their_pub_str) ; 

free (my_pub_str) ; free (their_pub_str) ; 

make_one_time__pad(argv(2] , their_pub) ; padstr ** 
new_hexstr_from_pad() ; printf ("One-time pad, using My Private 
and Their Public: \n%s\n", padstr) ; free (padstr) ; 

make_one_time_pad(argv[3] , my_pub) ; padstr - 
new_hexstr_f rom_pad () ; printf ("One-time pad, using Their 
Private and My Public : \n%s\n”, padstr) ; free (padstr) ; 

f ree_key (my_pub) ; f ree_key (their_pub) ; 

printf ("The two one-time pads should be equivalent. \n") ; 


/* solencrypt.c 

Solitaire encryption for personal files. Usage: > solencrypt <depth> 
file file. ell Private Key: 

© 1991 NeXT Computer, Inc. All Rights Reserved 

*/ 

limport <stdio.h> limport <st reams/st reams . h> limport "fee.h" 

main (int argc, char **argv) ( 

key my_pub; int depth; char *my_pri; NXStream *inStream, 
*outStream; 


if (argc<3) { 
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fprintf (stderr, "Usage: solencrypt <depth> file file.ell\nPrivate Key: 
\nwhere depth is an integer 0 through 22, def ault - 4.\n"); 

exit(0); ) if(argc==4) depth « atoi (argv [1 J ) ; else depth = 
DEFAULT DEPTH; 


/* Next, open the streams. */ 

inStream — NXMapFile (argv [argc-2] , NX_READONLY) ; outStream * 
NXOpenMemory (NULL, 0 , NX_WRI TEONLY ) ; 

/* Next, get private key, make public key, encrypt stream, blank the 
private key in memory. */ 

my_pri « (char *) getpass ("Private Key: ") ; my_pub » 
new_public_from_private (my_pri, depth, DEFAULT_SEED) ; 
encrypt_stream(inStream, outStream, my_pub, my_ pub, my_pri); 
bzero (my _pri, strlen (my_pri) ) ; f ree_key (my_pub) ; 

/* Next, flush and write. */ 

NXFlush (inStream) ; NXFlush (outStream) ; NXSaveToFile (outStream, 
argv [argc-1] ) ; NXClose (inStream) ; NXCloseMemory (outStream, 

NX FREEBUFFER) ; 


/* soldecrypt.c 

Solitaire encryption for personal files. Usage: > soldecrypt file. ell 
file Private Key: 

© 1991 NeXT Computer, Inc. All Rights Reserved 

*/ 

♦import <stdio.h> fimport <streams/streams.h> fimport "fee.h" 

main(int argc, char **argv) ( 

char *my_pri; NXStream *inStream, *outStream;. int err; 

if(argc<3) { 

fprintf (stderr, "Usage: soldecrypt file. ell 
fileXnPrivate Key: \n"); exit(0); 


/* Next, open the streams. */ 

inStream - NXMapFile (argv [1J , NX_READONLY) ; outStream * 
NXOpenMemory (NULL, 0, NX_WRI TEONLY) ; 

/* Next, decrypt the stream and blank the private key in memory. */ 

my_pri - (char *) getpass ("Private Key: "); err - 
decrypt_stream(inStream, outStream, my_pri); bzero (my_pri, 
strlen (my_pri) ) ; if (err) ( 

fprintf (stderr, "Error %d: bad private key.\n", err); 
exit (0) ; 


/* Next 


write and close. */ 
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NXSaveToFile (outStream, 
NXCloseMemory (outStream, 
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argv[2]); NXClose (inStream) , 
NX FREEBUFFER); 


I claim: 

1. A method for electronically generating a secure 
key comprising the steps of: 

providing a first private key source for providing a 
first private key; 

providing a second private key source for providing 
a second private key; 

generating a first public key in a public key source by 
performing an elliptic multiplication of said first 
private key and a point on an elliptic curve; 

generating a second public key in said public key 
source by performing an elliptic multiplication of 
said second private key and said point; 

generating an enciphering key in a first elliptic multi- 
plying means by performing an elliptic multiplica- 
tion of said first private key and said second public 
key; 

generating a deciphering key in a second elliptic mul- 
tiplying means by performing an elliptic multiplica- 
tion of said second private key and said first public 
key. 

2. The method of claim 1 wherein said point is a point 
on an elliptic curve over a finite field F p k, where p is 
one of a class of numbers such that mod p arithmetic is 
performed in a processor using only shift and add opera- 
tions. 

3. The method of claim 2 wherein p is given by 
2$— C, where C is a binary number having a length no 
greater than 32 bits. 

4. The method of claim 2 wherein p is a Mersenne 
prime given by 29 — 1. 

5. The method of claim 2 wherein p is a Fermat num- 
ber given by 29+ 1 and q is given by 2 m . 

6. The method of claim 1 wherein said point on said 
elliptic curve is (Xi, Yi). 

7. The method of claim 1 wherein said point on said 
elliptic curve is (Xi/Zj, Y) where Zj = l and 
n°(X m /Z m ) is an elliptic multiplication and denotes the 
coordinate (X„ +m /Z„ +m ). 

8. The method of claim 7 wherein Fast Fourier 
Transforms are used to compute X„ +m . 

9. The method of claim 8 where X denotes the Fou- 
rier transform of the digits of X, and, X n , Xm, Z n , Zm, 
and Z n— m denote the Fourier transforms^ the digits of 
X n , X m , Z„, Z m , and Z„_ m respectively and; 

Zn +m—Zn~ m(2[nZm “ZnZm)^' 

10. The method of claim 1 further including encrypt- 
ing means coupled to said elliptic multiplying means 
and receiving a plaintext message from a message 
source, said encrypting means for generating a cipher- 
text message using said enciphering key. 

11. The method of claim 10 further including de- 
crypting means coupled said encrypting means and said 
second elliptic multiplying means, said decrypting 
means for receiving said ciphertext message and decod- 
ing said plaintext message using said deciphering key. 

12. The method of claim 1 wherein said first public 
key is given by 

(first private key)'(Xi,Y\)=first public key 


where 

‘ is an elliptic multiplication, 

(Xi, Yi) is a point on an elliptic curve over a finite 
field Fpk, and 

p=29— C. 

13. The method of claim 12 wherein said second 
public key is given by: 

(second private key)*(X\, Y\)— second public key. 

14. A method for electronically generating a secure 
key comprising the step of: 

providing a first private key source for providing a 
first private key; 

providing a second private key source for providing 
a second private key; 

generating a first public key in a public key source by 
performing an elliptic multiplication of said first 
private key and a point, wherein said point is a 
point on an elliptic curve over a finite field Fpk and 
p is a Mersenne prime given by 29—1 and where 
mod p operations are performed using only shift 
and add operations; 

generating a second public key in said public key 
source by performing an elliptic multiplication of 
said second private key and said point; 

generating an enciphering key in a first elliptic multi- 
plying means by performing an elliptic multiplica- 
tion of said first private key and said second public 
key; 

generating a deciphering key in a second elliptic mul- 
tiplying means by performing an elliptic multiplica- 
tion of said private key and said first public key. 

15. The method of claim 14 wherein said mod p oper- 
ations are accomplished by: 

shifting q LSB’s of a binary number and adding the 
shifted q LSB’s to the remaining q LSB’s to gener- 
ate a sum; 

repeating the previous step on the sum until a sum is 
generated of q or fewer bits. 

16. A method for electronically generating a secure 
key comprising the steps of: 

providing a first private key source for providing a 
first private key; 

providing a second private key source for providing 
a second private key; 

generating a first public key in a public key source by 
performing an elliptic multiplication of said first 
private key and a point, wherein said point is a 
point on an elliptic curve over a finite field Fpk and 
p is a Fermat number given by 29+ 1 and q is given 
by 2 m and where mod p operations are performed 
using only shift, multiply and add operations; 

generating a second public key in said public key 
source by performing an elliptic multiplication of 
said second private key and said point; 

generating an enciphering key in a first elliptic multi- 
plying means by performing an elliptic multiplica- 
tion of said first private key and said second public 
key; 
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generating a deciphering key in a second elliptic mul- 
tiplying means by performing an elliptic multiplica- 
tion of said second private key and said first public 
key. 

17. The method of claim 16 wherein mod p opera- 
tions are accomplished on a binary number by shifting q 
bits and alternately subtracting and adding next succes- 
sive groups of q bits until the resultant has q or fewer 
{bits. 

18. A method for electronically generating a secure 
key comprising the steps of: 

providing a first private key source for providing a 
first private key; 

providing a second private key source for providing 
a second private key; 

generating a first public key in public key source by 
performing an elliptic multiplication of said first 
private key and a point, wherein said point is a 
point on an elliptic curve over a finite field F p k and 
p is given by 2?— C, where C is a binary number 
having a length no greater than 32 bits and where 
mod p operations are performed using only shift, 


subtract and add operations; 

generating a second public key in said public key 
source by performing an elliptic multiplication of 
said second private key and said point; 

5 generating an enciphering key in a first elliptic multi- 
plying means by performing an elliptic multiplica- 
tion of said first private key and said second public 
key; 

generating a deciphering key in a second elliptic mul- 

10 tiplying means by performing an elliptic multiplica- 
tion of said second private key and said first public 
key. 

19. The method of claim 18 wherein mod p opera- 
tions are accomplished by: 

15 (a) latching q bits of a binary number; 

(b) multiplying the remainder of said binary number 
by C to generate a product; 

(c) adding said product to said q bits to generate a 
sum; 

20 (d) repeating steps (a)-(c) on said sum until q or fewer 

bits remain. 
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